Apply suggestions from code review

Co-authored-by: Rebecca Tamachiro <[email protected]>

Author: securitypedant

src/content/docs/reference-architecture/diagrams/network/bring-your-own-ip-space-to-cloudflare.mdx

@@ -12,41 +12,43 @@ updated: 2024-10-24
 
 ## Introduction
 
-Cloudflare brings security and performance to our customers' digital estates. However, one of the challenges with proxying services is that interactions on the web (for example, DNS queries, web requests to Internet or SaaS services, etc.) that go to Cloudflare will appear to the world as coming from Cloudflare IP space. This can create challenges for some enterprises.
+Cloudflare brings security and performance to our customers' digital estates. However, one of the characteristics of proxying services is that interactions on the web that go to Cloudflare (DNS queries or requests to SaaS providers, for example) will appear to the world as coming from the Cloudflare IP space. This can create challenges for some enterprises.
 
-For example, partners or other B2B relationships may use public IP space owned by a customer for attestation and attribution in various transactions. They may look at the resolved address for a public hostname (for example, [www.example.com](http://www.example.com)) and expect that IP to match a specific range or address known to be owned by the customer.
+For example, partners or other B2B relationships may use the public IP space owned by a customer for attestation and attribution in various transactions. They may look at the resolved address for a public hostname (for example, `www.example.com`) and expect that IP to match a specific range or address known to be owned by the customer.
 
-Cloudflare allows customers to Bring Your Own IP (BYOIP) which allows enterprises to bring their IP space to Cloudflare, thus gaining the security and performance of the Cloudflare platform while still appearing to the rest of the world via their own public IP space. This reference architecture diagram will highlight the different ways customers can bring their IP space to the Cloudflare network and the benefits that are achieved.
+[Bring Your Own IP (BYOIP)](/byoip/) allows enterprises to bring their IP space to Cloudflare, thus gaining the security and performance of the Cloudflare platform while still appearing to the rest of the world via their own public IP space. This reference architecture diagram highlights the different ways customers can bring their IP space to the Cloudflare network and the benefits that are achieved.
 
 ## BYOIP scenario one \- Cloudflare proxy services
 
-The default behavior when a DNS query is made to a Cloudflare proxied hostname will be to return one of Cloudflare's [default anycast IP addresses](https://www.cloudflare.com/ips/). The traffic is then accelerated, protected, and if not served by Cloudflare cache, sent to the customer's origin server.
+The default behavior when a DNS query is made to a Cloudflare proxied hostname will be to return one of Cloudflare's [default anycast IP addresses](https://www.cloudflare.com/ips/). The traffic is then accelerated, protected, and, if not served by Cloudflare cache, sent to the customer's origin server.
 
-In the diagram below, the customer wants to proxy traffic through Cloudflare's application services platform, but wants any DNS queries to return an IP address that is owned by that customer but still benefits from Cloudflare's anycast network. There are two different network ranges used in this example.
+In the diagram below, instead of the default behavior, traffic will proxy through Cloudflare's application services platform but DNS queries will return an IP address that is owned by the customer while also benefiting from Cloudflare's anycast network. 
 
-- 152.3.15.0/24 \- Customer owned IP range that will be associated with the Cloudflare network.
-- 152.3.14.0/24 \- Customer owned IP range that will continue to be associated with their origin network.
+There are two different network ranges used in this example:
+
+- `152.3.15.0/24` \- Customer owned IP range that will be associated with the Cloudflare network.
+- `152.3.14.0/24` \- Customer owned IP range that will continue to be associated with their origin network.
 
 ![Figure 1: Cloudflare announces customer IP range and proxies it to the origin server IP.](~/assets/images/reference-architecture/bring-your-own-ip-space-to-cloudflare/figure1.svg "Figure 1: Cloudflare announces customer IP range and proxies it to the origin server IP.")
 
-1. In order for Cloudflare to respond to DNS queries with addresses from the customer's space, a Letter of Agency must be provided by the customer to Cloudflare, so that it can be provisioned and advertised by Cloudflare. This example address space (152.3.15.0/24) must be dedicated for Cloudflare's configuration and not used anywhere within the customer environment.
-2. The Cloudflare DNS configuration for the origin server [www.abc.com](http://www.abc.com) is configured with the IP address 152.3.14.10/32.
-3. A DNS query for [www.abc.com](http://www.abc.com) is made.
-4. Cloudflare returns an address from the customer's space that was previously configured from BYOIP space provided by the customer. In this case, the response was 152.2.15.200 which is a part of the /24 prefix of 152.2.15.0/24.
-5. The eyeball sends a request to 152.2.15.200 which is routed to the Cloudflare edge.
-6. Cloudflare proxies the connection, using the SNI (www.abc.com) to determine the actual origin IP, 152.3.14.10. The request is then routed through Cloudflare's proxy services, such as DDoS protection, Web Application Firewall, and Bot Management.
-7. Successful requests are sent to origin (if not served by cache) to 152.3.14.10 with a source IP of the Cloudflare edge.
+1. In order for Cloudflare to respond to DNS queries with addresses from the customer's space, a Letter of Agency (LOA) must be provided by the customer to Cloudflare, so that the addresses can be provisioned and advertised. This address space (in the example, `152.3.15.0/24`) must be dedicated for Cloudflare's configuration and not used anywhere within the customer environment.
+2. The Cloudflare DNS configuration for the origin server `www.abc.com` is configured with the IP address `152.3.14.10/32`.
+3. A DNS query for `www.abc.com` is made.
+4. Cloudflare returns an address from the customer's space that was previously configured from a BYOIP space provided by the customer. In this case, the response was `152.2.15.200`, which is a part of the `/24` prefix of `152.2.15.0/24`.
+5. The eyeball sends a request to `152.2.15.200` which is routed to the Cloudflare edge.
+6. Cloudflare proxies the connection, using the SNI (`www.abc.com`) to determine the actual origin IP, `152.3.14.10`. The request is then routed through Cloudflare's proxy services, such as DDoS protection, Web Application Firewall, and Bot Management.
+7. Successful requests are sent to origin (if not served by cache) to `152.3.14.10` with a source IP of the Cloudflare edge.
 
 ## BYOIP scenario two \- network DDoS protection
 
-Cloudflare is well known for its DDoS mitigation services protecting public websites and APIs, and the same technologies can also be used to protect entire networks. Cloudflare's Magic Transit service offers a cloud based network DDoS mitigation service for our customers' public IP space.
+Cloudflare is well known for its DDoS mitigation services protecting public websites and APIs. The same technologies can also be used to protect entire networks. Cloudflare's [Magic Transit](/magic-transit/) service offers a cloud-based network DDoS mitigation service for our customers' public IP space.
 
-![Figure 2: Protection against DDoS attacks can be placed in front of the BYOIP range in front your Cloudflare tunneled network.](~/assets/images/reference-architecture/bring-your-own-ip-space-to-cloudflare/figure2.svg "Figure 2: Protection against DDoS attacks can be placed in front of the BYOIP range in front your Cloudflare tunneled network.")
+![Figure 2: Protection against DDoS attacks can be placed in front of the BYOIP range in front of your Cloudflare tunneled network.](~/assets/images/reference-architecture/bring-your-own-ip-space-to-cloudflare/figure2.svg "Figure 2: Protection against DDoS attacks can be placed in front of the BYOIP range in front of your Cloudflare tunneled network.")
 
-1. In order for Cloudflare to attract traffic destined for customer network prefixes, a Letter of Agency must be provided by the customer to Cloudflare, so that it can be provisioned and advertised by Cloudflare to the Internet.
-2. Once provisioned, Cloudflare will advertise the customer prefix(es) attracting traffic destined for those networks to the Cloudflare edge.
+1. In order for Cloudflare to attract traffic destined for customer network prefixes, a Letter of Agency (LOA) must be provided by the customer to Cloudflare, so that the network prefixes can be provisioned and advertised.
+2. Once provisioned, Cloudflare will advertise the customer prefixes to the Internet, attracting traffic destined for those networks to the Cloudflare edge.
 3. All traffic destined for those prefixes is routed to the Cloudflare edge.
-4. DDoS traffic is mitigated at the edge and legitimate traffic is directed back to customer networks via [tunnels](/magic-wan/) or [Cloudflare Network Interconnect](/network-interconnect/) (CNI) on ramps to the customer environment.
+4. DDoS traffic is mitigated at the edge and legitimate traffic is directed back to customer networks via [tunnels](/magic-wan/), or via [Cloudflare Network Interconnect](/network-interconnect/) (CNI) on ramps to the customer environment.
 
 More detailed information about Magic Transit capabilities can be found in the [Magic Transit Reference Architecture](/reference-architecture/architectures/magic-transit/).